Cyber Incident Victim: Made in Oregon

Date: Feb 2020

Location: United States of America

Summary

A regional retailer experienced a sustained six-month compromise of its e-commerce platform, exposing customer names, billing and shipping addresses, email addresses, and credit card information. Approximately 7,800 online purchasers were notified of potential data exposure, with a small number subsequently experiencing fraudulent card activity; phone transactions remained unaffected. The organization initiated law enforcement reporting, internal investigations, and complimentary credit monitoring for impacted individuals while implementing enhanced security measures to prevent future incidents.

Description

An unauthorized party gained access to the e-commerce site of Made in Oregon, a regional gift retailer with five Portland-area stores, between February 1, 2020, and August 31, 2020. The breach persisted for six months before detection, compromising customer data from online purchases made during this period. Exposed information included names, billing addresses, shipping addresses, email addresses, and credit card details. The company identified 7,800 affected customers and mailed notification letters approximately two months after the breach window closed. A limited number of confirmed fraud cases occurred among these customers, with owner Verne Naito characterizing fraudulent card usage incidents as "very, very small" while acknowledging all online purchasers faced potential compromise. Customers who made purchases by phone during the breach period were not impacted.

Made in Oregon reported the incident to law enforcement and initiated an internal investigation to determine the breach's root cause and full scope. The company provided complimentary credit monitoring services for one year to affected individuals as a protective measure. Following containment, the retailer implemented undisclosed additional security measures aimed at preventing future breaches. No technical details regarding the intrusion method, attacker identity, or specific system vulnerabilities were publicly disclosed. The breach highlighted operational risks associated with online retail platforms during a period of increased e-commerce activity, though the company maintained that physical store transactions remained unaffected throughout the incident.
